Fri, Aug 31, 2018

After the Olympics, Cyber Risk Remains

A simple review of media reports during the Olympic Summer Games in Rio de Janeiro makes it clear that, from a cyber security viewpoint, the games were a high cyber risk environment. In fact, multiple reporters themselves disclosed that their credit and ATM cards had been hacked and used by criminals; in one case, the hacking took place when a reporter used a credit card for an online transaction in Brazil prior to leaving home.

What we don’t know, because it hasn’t been publicly reported, is how many athletes, support staff, and visitors fell victim to hackers when their smartphones, tablets, and laptops were connected to insecure Wi-Fi systems, or to false-flagged hacker-operated systems masquerading as legitimate hotel, restaurant, coffee shop or similar venue systems. What we do know is that hackers around the world have frequently used this “free” Wi-Fi technique to introduce malware into devices and/or to harvest passwords or sensitive corporate (or personal) information from devices connected to hacker-controlled wireless networks.

Regardless of the final figures, here are some basic takeaways from the Olympics, the World Cup, and similar mass travel events that are issues your organization and your traveling staff must keep in mind on a day-to-day basis.

  1. “Free” Wi-Fi can turn out to be very expensive. It’s very difficult for average users to determine whether a Wi-Fi site they are connecting to is safe. It might be, but it might also be a site run by criminals that spoofs a legitimate one. These are sometimes referred to as “evil twin” Wi-Fi sites: they are designed to fool users into believing they are using a legitimate (and more likely safe) way of connecting to the internet. If you’re connecting to any kind of public Wi-Fi network, use a VPN service. These are readily available for the iOS, Android, OS X, and Windows environments. Corporations should insist that their personnel use them precisely because it’s so easy to create a false-flagged Wi-Fi site. With a VPN, you activate your VPN app, and all data between your device and the internet is encrypted.
  2. No one can steal data that you don’t have. We regularly hear that data that was stolen from travelers wasn’t actually needed on the trip, but was stored on a laptop or tablet anyway. Many sorts of malware can give an intruder virtually total access to your computer. Unless you need a particular file for your trip, don’t put it on your computer. Then, even if your machine is compromised, that data is not available to be stolen. You can always reload it onto your laptop or tablet when you get home. If you need highly sensitive data while traveling, consider storing it on an encrypted USB storage device that you can carry with you.
  3. Don’t trust computers at your hotel or at an airport lounge. Computers at hotel business centers or airport lounges are often connected to high-speed internet connections and are certainly convenient. But convenient doesn’t mean safe. During a security review performed for an international airline, we discovered that the computers in the airport lounge at the home-base airport had all been modified with devices placed between the keyboard and computer that captured every keystroke typed, including bank names and log-in identifiers. Stopping the problem required a redesign of the desks to avoid giving users access to the physical ports on the computer. Also, don’t use a USB storage device at public access computers. Malware can be loaded onto your storage device, or your device can be searched and potentially looted by criminals.
  4. Don’t leave sensitive or valuable data in an in-room hotel safe. In the past few years, in-room safes have been redesigned to be large enough to store a laptop computer, tablet, or storage device. But before storing your devices in the safe, think about this: Hotels virtually always have a master code, key, or device that can quickly open every in-room safe they possess. Could a rogue employee or a criminal gang in league with a rogue employee use the master key (or equivalent) to gain access to a guest’s devices and either compromise the data on them or insert malware? It’s not out of the question. Because some master key devices simply open the safe but can’t restore the user’s password, it may be necessary for the thieves to set a random password to get the safe relocked after they have accessed your equipment. It’s vital that travelers recognize that if they return and can’t open the safe, it doesn’t mean they forgot the combination – it may indicate a compromise. If a call to the front desk will bring an employee to the room to unlock the safe, you should be concerned that a compromise has occurred. A good rule is that once you set a password, lock the safe before storing anything in it. Then go through a couple of unlock-relock cycles to verify that you know the combination and that it works. If it stops working, start worrying!
  5. Make sure your devices automatically lock themselves quickly. The reality is that people forget and leave computers, laptops, and smartphones in restaurants, taxis, and hotels. They are in a rush and forget them at airport security screening checkpoints. No one is immune from making a human error. So all devices should automatically lock themselves to prevent someone who finds them from using them. While it may be inconvenient to log on repeatedly, automatic locking provides significant protection, and auto-log-off should be mandated by companies.
  6. Don’t plug an unknown device into your computer! Data thieves have been known to leave USB storage devices where they can be found by potential data theft victims. The devices contain malware that can do anything from giving them access to your computer when you are online, to encrypting all of your files and demanding a ransom payment to (possibly) get a decryption key.

Traveling may be necessary for business or a great part of a vacation, but by following these tips, you can make it less likely that your trip will be marred by a data theft incident.


